The online password manager LastPass has admitted that attackers accessed customer data when they broke into a third-party cloud storage system. Among other things, email addresses and telephone numbers were exposed in plain text, and copies of customer password vaults were taken. The passwords inside those vaults, however, are stored encrypted.
Background:
As early as August 2022, unknown attackers had stolen source code, which they later used to target an employee and so obtain access credentials for the cloud storage, as the company reported in December. At the beginning of the month it was still said that the accessed data, and in particular the customers' passwords, remained protected. How many customers are affected is currently unknown.
Sensitive data copied – still protected?
In a recent statement, LastPass announced that the attackers evidently had access to customer account data such as telephone numbers and email addresses, and to the password vaults themselves. The vaults, copied from a backup, contain encrypted fields (user names, passwords) but also unencrypted website URLs. Although one might not think so, LastPass points out that URLs can also contain sensitive information that is useful to attackers; at the very least they reveal which services a user has accounts with.
Nevertheless, the company assures that the data encrypted with 256-bit AES is effectively protected from unauthorized access: to read it, an attacker would have to derive each customer's encryption key from that customer's master password. The master password is never transmitted to LastPass and exists only on the user's own device, which, provided the password itself cannot be guessed, makes such a compromise very unlikely.
LastPass security measures
To keep master passwords secure, the company warns against short, easy-to-guess passwords, which attackers can recover by brute force. To slow such attacks down as far as possible, LastPass uses the Password-Based Key Derivation Function 2 (PBKDF2).
In this process the master password is combined with a salt, a random value stored alongside the account, and run through a cryptographic hash function; the hashing is then repeated many thousands of times. The salt defeats precomputed rainbow tables, and the repetition makes every guess in a brute-force attack correspondingly more expensive.
By default, LastPass sets 100,100 PBKDF2 iterations, with SHA-256 as the hash function. For this combination, the Open Web Application Security Project (OWASP) recommends 310,000 iterations. LastPass users can adjust the value in their account settings, so it is worth checking the value set for one's own account.
Does this ensure the security of the master passwords?
According to LastPass, cracking a master password protected by the encryption and PBKDF2 stretching described above would take millions of years, at least if the password was created according to the company's guidelines. It follows that weak master passwords will most likely fall much faster. Anyone using a weak master password should therefore change it, especially after the current incidents. In addition, the same password should never be used for different online services; otherwise a single cracked password gives attackers access to many accounts.
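To make the PBKDF2 explanation and the cracking-time estimate above concrete, here is an added example (not code from the article, from heise.de or from LastPass) that derives a 256-bit key with PBKDF2-HMAC-SHA256 at the two iteration counts named in the text, measures the per-guess cost, and estimates exhaustive-search times for a weak and a strong master password. The salt handling, the sample passwords and the attacker throughput of one billion HMAC evaluations per second are assumptions for illustration; the real LastPass derivation may include further steps the page does not describe.

```python
import hashlib
import math
import os
import time

# Iteration counts named in the article: the LastPass client default and the
# OWASP recommendation for PBKDF2-HMAC-SHA256 it is compared against.
LASTPASS_DEFAULT_ITERATIONS = 100_100
OWASP_RECOMMENDED_ITERATIONS = 310_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    This is the generic scheme the article describes (salt + iterated SHA-256);
    the salt LastPass actually uses and any extra steps are not on the page.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one derivation on this machine: the price an attacker
    holding a stolen vault pays per guess, since the same function must be run."""
    salt = os.urandom(16)  # constructed random salt for the timing run
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def expected_crack_seconds(charset_size: int, length: int, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected time to exhaust every password of `length` characters drawn
    from a `charset_size` alphabet.

    `hmac_per_second` is the attacker's assumed HMAC-SHA256 throughput (a
    hypothetical figure, not a number from the article); each guess costs
    `iterations` of them, and on average half the keyspace must be searched.
    """
    guesses_per_second = hmac_per_second / iterations
    return (charset_size ** length / 2) / guesses_per_second


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample master password
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    key_a = derive_vault_key(pw, salt_a, LASTPASS_DEFAULT_ITERATIONS)
    key_b = derive_vault_key(pw, salt_b, LASTPASS_DEFAULT_ITERATIONS)
    # Same password, different salt: different key, so no shared rainbow table.
    print("keys differ across salts:", key_a != key_b)

    for n in (LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_derivation(n) * 1000:.1f} ms per guess here")

    rate = 1e9  # hypothetical attacker: one billion HMAC-SHA256 per second
    year = 365 * 24 * 3600
    for label, cs, ln in (("8 lowercase letters", 26, 8),
                          ("12 mixed printable characters", 95, 12)):
        for n in (LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS):
            years = expected_crack_seconds(cs, ln, n, rate) / year
            print(f"{label}, {n} iterations: ~{years:.3g} years")
```

Under the assumed throughput an eight-letter lowercase password falls in months regardless of the iteration count, while twelve mixed printable characters take on the order of 10^11 years; raising iterations from 100,100 to 310,000 only scales the cost by a factor of about three. The iteration count buys time, but the master password's length and unpredictability is what decides the outcome.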
Business customers who use LastPass Federated Login Services do not have to worry about brute-force attacks on the master password, the company assures, because that setup adds further protection. Business customers who do not use federated login should check their master password and, if it is weak, change the passwords stored in LastPass, since a weak master password can be guessed with significantly fewer attempts.
According to heise.de, LastPass also announced after the incident that it had rebuilt its entire IT infrastructure with additional security measures.
Source:
Heise
Notes:
1) This content reflects the state of affairs at the time of publication. Individual images, screenshots, embeds or video sequences are reproduced in order to discuss the topic. 2) Individual contributions were created with machine assistance and were carefully checked by the Mimikama editorial team before publication.

